I would also like the features requested in this thread: having the card locked again after a decryption/authentication and the possibility to easily unplug and replug an ID-000 reader.
Werner Koch wrote:

> If you are talking about malware on your box, nothing will help you.
> You don't have any control anymore on your box. The only advantage
> you have is that the bot needs to wait until you enter the PIN the
> next time and then it can replay the PIN as needed. Oh, you are using
> a pinpad reader - well in this case the malware just let you sign
> something it is interested in and not what you assume.

This is also about physical access. If I use the smart card and leave the workstation for a moment (and forget to lock the card again), somebody can sit down at my workstation and happily decrypt my gpg files and use ssh to log in to other systems. Sure, physical access can cause lots of trouble, but it takes more time and effort than just typing "ssh interesting-host". I don't feel comfortable about it.

>> 2. Couldn't scdaemon be configured to also access the signature key on
>> the card every time, even if only the authentication or encryption key
>> is needed?
>
> Why would you want to do that?

See above. I'm not really convinced about the security of this method anyway. Access control should be at the card.

However, how about powering down _and_ up the card after every auth/decrypt? Configurable, of course. That way, PIN entry can start immediately when the next auth/decrypt turns up, without the delay of powering up and initialising the card (actually, the delay has been moved to the moment after the previous use).

Greetings,

Peter.

PS: I also use the internal CCID driver.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users